Bug 1990844

Summary: RFE: Please enable libsodium support in php
Product: Red Hat Enterprise Linux 9 Reporter: Neal Gompa <ngompa13>
Component: phpAssignee: Remi Collet <rcollet>
Status: CLOSED WONTFIX QA Contact: rhel-cs-infra-services-qe <rhel-cs-infra-services-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: CentOS StreamCC: bstinson, carl, jorton, jwboyer, ssorce
Target Milestone: betaKeywords: FutureFeature, Reopened
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-10 14:24:14 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Neal Gompa 2021-08-06 12:15:28 UTC 
Description of problem:
The PHP stack has libsodium support disabled, which severely cripples or breaks the ability for PHP web applications to do secure password hashing, among other things.

For example, Symfony-based web applications based on Symfony 3.4 can and will use argon2i algorithms[1], and Symfony-based web applications based on Symfony 4.3 can and will use sodium for this[2]. This is required for Symfony's secrets management system[3], too.

Please reconsider and enable the sodium extension in PHP.

[1]: https://symfony.com/blog/new-in-symfony-3-4-argon2i-password-hasher
[2]: https://symfony.com/blog/new-in-symfony-4-3-sodium-password-encoder
[3]: https://symfony.com/doc/current/configuration/secrets.html

Version-Release number of selected component (if applicable):
8.0.6-6.el9
Comment 2 Josh Boyer 2021-08-06 12:27:42 UTC 
libsodium is not part of the CentOS Stream/RHEL content set and has known issues for certification compliance.  It is also identified as an unwanted package in the ELN content resolver:

https://github.com/minimization/content-resolver-input/blob/master/configs/sst_security_crypto-unwanted.yaml

We will not be adding it at this time and therefore PHP cannot enable support for it.
Comment 3 Neal Gompa 2021-08-06 13:06:04 UTC 
(In reply to Josh Boyer from comment #2)
> libsodium is not part of the CentOS Stream/RHEL content set and has known
> issues for certification compliance.

The problem with this is that ever since the sodium extension was bundled into PHP with PHP 7.2[1], applications have been increasingly adopting it. And even in the RFC, the PHP community has taken the stance (for better or worse) that OpenSSL does not provide adequate security.

What am I supposed to do when a bundled extension that is now only part of the core and is increasingly required by applications? It's a unique API provided by PHP rather than an implementation detail of some generic API in PHP.

[1]: https://wiki.php.net/rfc/libsodium
Comment 4 Carl Schwan 2021-08-06 16:11:01 UTC 
Just to add a comment as a PHP developer (and who encountered this problem today). One problem with not providing php-sodium is that once a database has password hashed with argon2i (for example using remirepo or another Linux distribution), it is then impossible to verify them on a rhel/centos machine with the official repo without installing a polyfill of a dubious quality.

For PHP >= 7.4 having PHP compiled with the libsodium package is not recommended anymore but what is needed to solve the problem is having php-sodium extension at least on epel (and so not officially supported).
Comment 5 Josh Boyer 2021-08-06 17:12:03 UTC 
(In reply to Carl Schwan from comment #4)
> Just to add a comment as a PHP developer (and who encountered this problem
> today). One problem with not providing php-sodium is that once a database
> has password hashed with argon2i (for example using remirepo or another
> Linux distribution), it is then impossible to verify them on a rhel/centos
> machine with the official repo without installing a polyfill of a dubious
> quality.
> 
> For PHP >= 7.4 having PHP compiled with the libsodium package is not
> recommended anymore but what is needed to solve the problem is having
> php-sodium extension at least on epel (and so not officially supported).

Thank you for the added data point.  Unfortunately, it is unlikely to change the answer to this RFE.  We can leave the bug open if you'd like, but our intentions are to be as clear as possible that we do not intend to include libsodium in RHEL 9/CentOS Stream 9.

(For future reference on process, this would really need two bugs.  The first against the distribution component to add libsodium, which again will not be added.  Then a bug such as this against PHP to enable the feature.)
Comment 7 Remi Collet 2021-08-09 13:27:58 UTC 
(In reply to Carl Schwan from comment #4)

> what is needed to solve the problem is having
> php-sodium extension at least on epel (and so not officially supported).

For now it is no possible to build extensions for modules
https://pagure.io/epel/issue/75

For EPEL-8 this is a major blocker.

For EPEL-9 things could seem better as php is no more a module
so it will be possible to provide php-sodium there.

But only for default PHP version 8.0, not for possible future
versions probably shipped as modules. So can be considered as
worst, as using extensions from EPEL will forbid the update
to any newer versions.


BTW, workaround exists...
(other 3rd party repo, of course unsupported)
Comment 8 Joe Orton 2021-08-10 14:24:14 UTC 
Reopening this will not change the fact that libsodium will not ship in RHEL9.

At some point OpenSSL will hopefully ship an argon implementation and that can become accessible via PHP in RHEL. That is not planned for 3.0.0 so is also unlikely to happen for RHEL 9.0.  When there is a feasible route to supporting Argon in PHP let's track that.